Closed barrywoolgar closed 1 week ago
No.
The "bug" they submitted is only tested on the live demo website and is caused by the live demo not having any authentication or authorization. Which is of course purposefully disabled for demo purposes...
This is not present in the Spina gem and has nothing to do with it. I've been unable to have this CVE removed. I have also never been contacted by the individual that published this CVE. It's a scam sadly.
I'm planning on re-adding password authentication to our live demo site and releasing a new version of the Spina gem just to clear this up.
Thank you for the rapid response, and the context missing from the official CVE pages.
We use automated tooling to make sure we're addressing vulnerabilities (real or imagined!) so it is great to hear that there's a straightforward solution to this.
Please could this issue stay open until the new version is released?
Agreed!
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Please can this be re-opened until the CVE is resolved?
This CVE does not apply to the Spina gem, it's garbage. I don't know how to prevent someone from submitting this.
I totally agree with your earlier assessment, but you also proposed a simple workaround:
Many thanks!
I deleted the live demo and opened a PR for v2.19: https://github.com/SpinaCMS/Spina/pull/1394
Hello
Is there a fix available (or planned) for CVE-2024-7106?
At the moment Bundler Audit is recommending we "remove or disable this gem until a patch is available", which isn't much of a long-term solution!
Many thanks